/**
 * Deletes this role.
 *
 * Deleting a role means deleting every ACL associated with it and all of
 * the group data for the role; that work is delegated to the permissions
 * object's deleteRole().
 *
 * @return bool|null|string false when the current user lacks delete rights
 *                          on roles, otherwise whatever deleteRole() returns
 */
public function delete()
{
    // Permission gate first: without 'roles' delete rights nothing is touched.
    if (!canDelete('roles')) {
        return false;
    }

    // deleteRole() removes the children (ACLs, group data) of this role.
    return $this->_perms->deleteRole($this->role_id);
}
/**
 * Deletes this role.
 *
 * Deleting a role means deleting every ACL associated with it and all of
 * the group data for the role; that work is delegated to the permissions
 * object's deleteRole().
 *
 * @return mixed false when the current user lacks delete rights on roles,
 *               otherwise whatever deleteRole() returns
 */
public function delete()
{
    // Permission gate first: without 'roles' delete rights nothing is touched.
    if (!canDelete('roles')) {
        return false;
    }

    // deleteRole() removes the children (ACLs, group data) of this role.
    return $this->perms->deleteRole($this->role_id);
}
?> </strong> </font> </td> </tr> </form> </table> <?php } else { // check permissions for this record $canReadProject = $perms->checkModuleItem('projects', 'view', $project_id); $canEditProject = $perms->checkModuleItem('projects', 'edit', $project_id); $canViewTasks = canView('tasks'); $canAddTasks = canAdd('tasks'); $canEditTasks = canEdit('tasks'); $canDeleteTasks = canDelete('tasks'); if (!$canReadProject) { $AppUI->redirect('m=public&a=access_denied'); } // check if this record has dependencies to prevent deletion $msg = ''; $obj = new CProject(); // Now check if the project is editable/viewable. $denied = $obj->getDeniedRecords($AppUI->user_id); if (in_array($project_id, $denied)) { $AppUI->redirect('m=public&a=access_denied'); } $canDeleteProject = $obj->canDelete($msg, $project_id); // get critical tasks (criteria: task_end_date) $criticalTasks = $project_id > 0 ? $obj->getCriticalTasks($project_id) : null; // get ProjectPriority from sysvals
* not allowed in the request parameters. */ $u = $AppUI->checkFileName(w2PgetCleanParam($_GET, 'u', '')); // load module based locale settings @(include_once W2P_BASE_DIR . '/locales/' . $AppUI->user_locale . '/locales.php'); include_once W2P_BASE_DIR . '/locales/core.php'; setlocale(LC_TIME, $AppUI->user_lang); $m_config = w2PgetConfig($m); // TODO: canRead/Edit assignements should be moved into each file // check overall module permissions // these can be further modified by the included action files $canAccess = canAccess($m); $canRead = canView($m); $canEdit = canEdit($m); $canAuthor = canAdd($m); $canDelete = canDelete($m); if (!$suppressHeaders) { // output the character set header if (isset($locale_char_set)) { header('Content-type: text/html;charset=' . $locale_char_set); } } // include the module class file - we use file_exists instead of @ so // that any parse errors in the file are reported, rather than errors // further down the track. $modclass = $AppUI->getModuleClass($m); if (file_exists($modclass)) { include_once $modclass; } if ($u && file_exists(W2P_BASE_DIR . '/modules/' . $m . '/' . $u . '/' . $u . '.class.php')) { include_once W2P_BASE_DIR . '/modules/' . $m . '/' . $u . '/' . $u . '.class.php';
if (!defined('W2P_BASE_DIR')) { die('You should not access this file directly.'); } $event_id = (int) w2PgetParam($_GET, 'event_id', 0); // check permissions for this record $perms =& $AppUI->acl(); $canRead = $perms->checkModuleItem($m, 'view', $event_id); if (!$canRead) { $AppUI->redirect('m=public&a=access_denied'); } $canEdit = $perms->checkModuleItem($m, 'edit', $event_id); // check if this record has dependencies to prevent deletion $msg = ''; $event = new CEvent(); $event->loadFull($event_id); $canDelete = canDelete($m, $event_id); // load the record data if (!$event) { $AppUI->setMsg('Event'); $AppUI->setMsg('invalidID', UI_MSG_ERROR, true); $AppUI->redirect(); } else { $AppUI->savePlace(); } //check if the user has view permission over the project if ($event->event_project && !$perms->checkModuleItem('projects', 'view', $event->event_project)) { $AppUI->redirect('m=public&a=access_denied'); } // load the event types $types = w2PgetSysVal('EventType'); // load the event recurs types
if (!defined('W2P_BASE_DIR')) { die('You should not access this file directly.'); } global $AppUI, $task_id, $sf, $df, $canEdit, $m; $perms =& $AppUI->acl(); if (!canView('task_log')) { $AppUI->redirect('m=public&a=access_denied'); } $problem = (int) w2PgetParam($_GET, 'problem', null); ?> <script language="javascript" type="text/javascript"> <?php // security improvement: // some javascript functions may not appear on client side in case of user not having write permissions // else users would be able to arbitrarily run 'bad' functions $canDelete = canDelete('task_log'); if ($canDelete) { ?> function delIt2(id) { if (confirm( '<?php echo $AppUI->_('doDelete', UI_OUTPUT_JS) . ' ' . $AppUI->_('Task Log', UI_OUTPUT_JS) . '?'; ?> ' )) { document.frmDelete2.task_log_id.value = id; document.frmDelete2.submit(); } } <?php } ?> </script>
$q->addInsert('history_date', "'" . $q->dbfnNowWithTZ() . "'"); $q->addInsert('history_description', $history_description); $q->addInsert('history_user', $userid); $q->addInsert('history_project', $history_project); $okMsg = 'History added'; } elseif ($action == 'update') { if (!canEdit('history')) { $AppUI->redirect('m=public&a=access_denied'); } $q->addTable('history'); $q->addUpdate('history_description', $history_description); $q->addUpdate('history_project', $history_project); $q->addWhere('history_id =' . $history_id); $okMsg = 'History updated'; } elseif ($action == 'del') { if (!canDelete('history')) { $AppUI->redirect('m=public&a=access_denied'); } $q->setDelete('history'); $q->addWhere('history_id =' . $history_id); $okMsg = 'History deleted'; } if (!$q->exec()) { $AppUI->setMsg(db_error()); } else { $AppUI->setMsg($okMsg); if ($action == 'add') { $q->clear(); } $q->addTable('history'); $q->addUpdate('history_item = history_id');
<?php /* $Id$ $URL$ */ if (!defined('W2P_BASE_DIR')) { die('You should not access this file directly.'); } $task_id = (int) w2PgetParam($_GET, 'task_id', 0); $task_log_id = (int) w2PgetParam($_GET, 'task_log_id', 0); $reminded = (int) w2PgetParam($_GET, 'reminded', 0); // check permissions for this record $canRead = canView($m, $task_id); $canEdit = canEdit($m, $task_id); $canDelete = canDelete($m, $task_id); if (!$canRead) { $AppUI->redirect('m=public&a=access_denied'); } $perms =& $AppUI->acl(); // check if this record has dependencies to prevent deletion $msg = ''; $obj = new CTask(); $obj->loadFull(null, $task_id); if (!$obj) { $AppUI->setMsg('Task'); $AppUI->setMsg('invalidID', UI_MSG_ERROR, true); $AppUI->redirect(); } else { $AppUI->savePlace(); } if (!$obj->canAccess($AppUI->user_id)) { $AppUI->redirect('m=public&a=access_denied'); }
<?php /* $Id$ $URL$ */ if (!defined('W2P_BASE_DIR')) { die('You should not access this file directly.'); } //view posts $forum_id = (int) w2PgetParam($_GET, 'forum_id', 0); $message_id = (int) w2PgetParam($_GET, 'message_id', 0); $post_message = (int) w2PgetParam($_GET, 'post_message', 0); $f = w2PgetParam($_POST, 'f', 0); // check permissions $perms =& $AppUI->acl(); $canAuthor = canAdd('forums'); $canDelete = canDelete('forums'); $canRead = $perms->checkModuleItem('forums', 'view', $forum_id); $canEdit = $perms->checkModuleItem('forums', 'edit', $forum_id); $canAdminEdit = canEdit('admin'); if (!$canRead) { $AppUI->redirect('m=public&a=access_denied'); } $forum = new CForum(); $forum->loadFull($AppUI, $forum_id); if (!$forum) { $AppUI->setMsg('Forum'); $AppUI->setMsg('invalidID', UI_MSG_ERROR, true); $AppUI->redirect(); } else { $AppUI->savePlace(); } $df = $AppUI->getPref('SHDATEFORMAT');
/* $Id$ $URL$ */ if (!defined('W2P_BASE_DIR')) { die('You should not access this file directly.'); } $AppUI->savePlace(); // pull all the key types $perms =& $AppUI->acl(); // Get the permissions for this module $canAccess = canAccess('roles'); if (!$canAccess) { $AppUI->redirect('m=public&a=access_denied'); } $canRead = canView('roles'); $canAdd = canAdd('roles'); $canEdit = canEdit('roles'); $canDelete = canDelete('roles'); $crole = new CSystem_Role(); $roles = $crole->getRoles(); $role_id = (int) w2PgetParam($_GET, 'role_id', 0); // setup the title block $titleBlock = new w2p_Theme_TitleBlock('Roles', 'main-settings.png', $m, $m . '.' . $a); $titleBlock->addCrumb('?m=system', 'System Admin'); $titleBlock->show(); $crumbs = array(); $crumbs['?m=system'] = 'System Admin'; ?> <script language="javascript" type="text/javascript"> <?php // security improvement: // some javascript functions may not appear on client side in case of user not having write permissions
<?php if (!defined('W2P_BASE_DIR')) { die('You should not access this file directly.'); } // @todo convert to template //view posts $forum_id = (int) w2PgetParam($_GET, 'forum_id', 0); $message_id = (int) w2PgetParam($_GET, 'message_id', 0); $post_message = (int) w2PgetParam($_GET, 'post_message', 0); $f = w2PgetParam($_POST, 'f', 0); // check permissions $perms =& $AppUI->acl(); $canAuthor = canAdd('forums'); $canDelete = canDelete('forums', $forum_id); $canRead = $perms->checkModuleItem('forums', 'view', $forum_id); $canEdit = $perms->checkModuleItem('forums', 'edit', $forum_id); $canAdminEdit = canEdit('system'); if (!$canRead) { $AppUI->redirect(ACCESS_DENIED); } $message = new CForum_Message(); $message->load($message_id); if (0 == $forum_id) { $forum_id = $message->message_forum; } $forum = new CForum(); $forum->load($forum_id); $project = new CProject(); $project->load($forum->forum_project); if (!$forum) {
/**
 * Whether the current user may delete this record.
 *
 * Deletion is governed solely by the module-level 'system' delete permission.
 * The three parameters are ignored; presumably they are kept so the signature
 * matches the canDelete($msg, $oid, $joins) shape used by sibling classes —
 * confirm against callers.
 *
 * @param mixed $notUsed  ignored
 * @param mixed $notUsed2 ignored
 * @param mixed $notUsed3 ignored
 *
 * @return bool whatever canDelete('system') reports
 */
public function canDelete($notUsed = null, $notUsed2 = null, $notUsed3 = null)
{
    $permitted = canDelete('system');

    return $permitted;
}
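/**
 * Determines whether the currently logged in user can delete this task log.
 *
 * Two stages: the module-level 'task_log' delete permission, then — only when
 * $joins is given — a dependency check that refuses deletion while any joined
 * table still holds rows referencing this record.
 *
 * @global AppUI $AppUI global user permissions
 *
 * @param string $msg   by ref; set to a translated error message on failure,
 *                      left untouched on success
 * @param int    $oid   optional key to check; when given it is cast to int and
 *                      stored on this object under its table key
 * @param array  $joins optional list of tables to join on; each entry needs
 *                      'name', 'joinfield', 'idfield' and 'label' keys
 *
 * @return bool true when deletion is allowed
 */
public function canDelete(&$msg, $oid = null, $joins = null)
{
    global $AppUI;

    // First things first. Are we allowed to delete at all?
    if (!canDelete('task_log')) {
        $msg = $AppUI->_('noDeletePermission');
        return false;
    }

    $k = $this->_tbl_key;
    if ($oid) {
        $this->{$k} = (int) $oid;
    }

    // No dependency tables to consult: permission alone decides.
    if (!is_array($joins)) {
        return true;
    }

    // Count, per joined table, how many rows still point at this record.
    $q = new w2p_Database_Query();
    $q->addTable($this->_tbl, 'k');
    $q->addQuery($k);
    $i = 0;
    foreach ($joins as $table) {
        $table_alias = 't' . $i++;
        $q->leftJoin($table['name'], $table_alias, $table_alias . '.' . $table['joinfield'] . ' = k.' . $k);
        $q->addQuery('COUNT(DISTINCT ' . $table_alias . '.' . $table['idfield'] . ') AS ' . $table['idfield']);
    }
    // The key is concatenated into SQL, so cast it: a non-numeric value can
    // then never alter the query text.
    $q->addWhere($k . ' = ' . (int) $this->{$k});
    $q->addGroup($k);

    $obj = null;
    $q->loadObject($obj);
    $q->clear();
    if (!$obj) {
        $msg = db_error();
        return false;
    }

    // Collect the labels of every table that still references this record.
    // A separate local keeps $k intact and leaves $msg a string on success
    // (the previous code handed an empty array back to the caller).
    $blockers = array();
    foreach ($joins as $table) {
        $idfield = $table['idfield'];
        if ($obj->{$idfield}) {
            $blockers[] = $AppUI->_($table['label']);
        }
    }
    if (count($blockers)) {
        $msg = $AppUI->_('noDeleteRecord') . ': ' . implode(', ', $blockers);
        return false;
    }

    return true;
}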